Distributed denial of service (DDoS) has long been an open security problem of the Internet. Most proposed solutions require the upgrade of routers across the Internet, which is extremely difficult to realize, considering that the Internet consists of a very large number of autonomous systems with routers from different vendors deployed over decades. A promising alternative strategy is to avoid the universal upgrade of router infrastructure and instead rely on an overlay of end systems. The prior anti-DoS overlays were designed to protect emergency services for authorized clients. They assume that trust exists between authorized clients and a private server. Only authenticated traffic can pass through the overlay network to reach the server, while the attack traffic is not admitted without passing the authentication. The follow-up extension of the anti-DoS overlays for web service has other serious limitations. This paper attempts to solve an important problem. How to design an anti-DoS overlay service (called AID) that protects general-purpose public servers while overcoming the limitations of the existing systems? Anyone, including the attackers, should be able to access the server. Authentication can no longer be the means of defense. While both normal and malicious clients are given the access, AID is designed to fend off attack traffic while letting legitimate-traffic through. Its operations are completely transparent to the users (humans or hosts), the client/server software, and the internal/core routers. To connect the AID service nodes (which are end systems), we choose a random overlay network for its rich, unpredictable connectivity, short diameter, and ease of management. We use a distributed virtual-clock packet scheduling algorithm to restrict the amount of data any client can impose on AID. We analyze the properties of the AID service based on probabilistic models. Our simulations demonstrate that AID can effectively protect legitimate-traffic from attack traffic. Even when 10% of all clients attack, just 1.4% of legitimate-traffic is mistakenly blocked, no matter how aggressive the attackers are.
式刚 陈;Yibei Ling;Randy Chow;Ye Xia
Computer Networks
2007-10-24
微信
科技工作者之家
京公网安备11010202008424号
